Old Infostealer Resurfaces, Now Delivers Ransomware

Sometime near the start of the year, we noticed that the old malware family TSPY_USTEAL resurfaced. This information stealing malware now includes new routines including malicious packers, obfuscation, and bundling ransomware.

TSPY_USTEAL variants were seen in the wild as early as 2009, and is known to steal sensitive information like machine details and passwords stored in browsers. It can act as a dropper, dropping plugins or binaries in its resource section. The stolen information is stored in an encrypted .bin file, which is uploaded to a C&C server via FTP. This was part of the behavior of the previous variants, and continues on in newer variants.

A newer variant that we detect as TSPY_USTEAL.USRJ, drops ransomware—detected as TROJ_RANSOM.SMAR—on affected systems. These ransomware files are created by a new toolkit builder that gives the attacker full control over the ransomware’s behavior, from the types of files it will encrypt to the ransom note to be displayed.

We detect this toolkit as TROJ_TOOLKIT.WRN. Below are the features translated from Russian to English. Included are the file types to be encrypted, the ransom note, the appended extension to encrypted file, and the name of the dropped copy of the encoder.

The ransomware, TROJ_RANSOM.SMAR, drops a copy of itself in the user’s machine. It then encrypts certain files with the same icon and extension name. For example, it can add the extension .EnCiPhErEd on selected extension names like .LNK, .ZIP, etc., as marker. Next, it drops an image file containing the ransom details.

Figure 2. Ransom note

When encrypted files are accessed, it shows the ransom note along with the contact details to retrieve the password. The retrieval method may either be through a text message or an email. Next, it displays a message asking for the password. If password given is correct, it decrypts and restores the encrypted files to its original form. Consequently, the ransomware file deletes itself. On the other hand, if the password is incorrect and the number of attempts has reached the pre-set limit, it displays the error message shown below. It then searches for files to encrypt (besides the already-encrypted files) and deletes itself afterward.

Figure 3. Error message

This particular combination of threats is worrisome because it steals your credentials and information while the ransomware extorts additional money from the victim by encrypting their files. It’s highly probable that the malware author wanted to wring a fortune out of the victim, extorting any leftover funds from the same victim with the use of ransomware.

Feedback from the Trend Micro Smart Protection Network shows that there was a spike mid-April for TROJ_RANSOM.SMAR, with the United States as the affected country . Trend Micro protects users from all threats releated to this attack.

With additional analysis from Adremel Redondo and Nazario Tolentino II